Request, load and use OS X code signing certificates --------------------------------------------------- This is a short step-by-step on how to generate a key in the Neo, create a certificate request, submit that request to apple, load the certificate in the Neo and use it for code signing. Prerequisites ------------- * a YubiKey Neo with the PIV application loaded * the yubico-piv-tool software * the OpenSC software * membership in the mac developer program Steps ----- 1. Generate a key in slot 9a: $ yubico-piv-tool -s 9a -a generate -o public.pem 2. Create a certificate request for app distribution: $ yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \ -S "/CN=Application/" -i public.pem -o application.csr 3. Generate a key in slot 9c: $ yubico-piv-tool -s 9c -a generate -o public.pem 4. Create a certificate request for installer distribution: $ yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate \ -S "/CN=Installer/" -i public.pem -o installer.csr 5. Go to the Apple developer program page and submit the requests. 6. When the certificates are ready and approved, download them. 7. Load the certificates: $ yubico-piv-tool -a import-certificate -s 9a -K DER -i mac_app.cer $ yubico-piv-tool -a import-certificate -s 9c -K DER -i mac_installer.cer + NOTE: -K DER is available from version 0.1.3, with earlier convert to PEM and import. 8. Set a new chuid in the application to make sure nothing is cached for the key: $ yubico-piv-tool -a set-chuid 9. Re-plug the Neo and make sure the certificates show up under the keychain "PIV_II" in Keychain Access. 10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign